Tag: RSA-Authored

EMCworld Wrap Up Part 1–Automation, Security and a Razor

Wow, what an amazing week! While it’s still fresh in my head, I thought I’d write about something that I witnessed at EMCworld. I’ll do another post on the sessions I gave later.

Automation and Security?

“Ok, what’s this “auto-mation” thing of which you speak Mike? And why, as a security guy, should I care?”

Razor

Well, the coolest thing was a project known as “Razor”. It was done by EMC’s Nick Weaver. Nick, also known as @lynxbat on Twitter, works in the EMC Office of the CTO. Nick is one of those guys that you show a new programming language to and after the weekend, he’s written something in it that blows your mind. All us geeks aspire to having those kinds of chops.

So, Nick worked with Puppet Labs on a project called Razor. The one sentence/paragraph description is “A tool that can, from bare metal, provision an OS.” Honestly, that’s about the lamest description ever of what it can do! You NEED to read up on it here then come back to finish what I wrote… I’ll wait……

Ok, you’re back. Now why is this important to security? Well, Chuck Hollis (@chuckhollis), the EMC CTO of Marketing, hit the nail on the head in his blog on the Puppet and Razor stuff when he said:

It doesn’t take too long to realize that there are some interesting areas where this could potentially go over time. Obviously, what’s been done for server resources could also be applied to storage and perhaps network. And, of course, EMC has some nice upper level IT governance management framework tools (e.g. Archer, Ionix) where policy can be specified and reported on.

Archer? RSA Archer? Yea, that Archer. Imagine if you will the ability to attest (there’s a big security word) to the validity of a server from the point of powering on to the system running and serving up what it serves up? You know how it was built, what was installed on it, who did what, when, where and how. Now, feed all that information into an eGRC solution like Archer and when the auditors come calling, you have a record and that record lines up with the security policies that are in effect. Need to build a server to handle PCI stuff? Here’s the record of how it was built and it’s mapped to all the PCI compliance regs. All in an automated fashion.

Combine that with a SIEM solution that can take in events that change the configuration and now you’re cooking with gas. You can attest to every change from creation to destruction. And map it all to policy.

It was a VERY insightful post Chuck made. When I saw Razor in action, that’s exactly what I thought. I ran into Chuck one evening at EMCworld and told him so.

Security at Scale

THIS is part of the “security at scale” issue that we as an industry are facing. The old ways of managing security just won’t scale to the levels of “cloud” (there I go, saying that word. For me, cloud = scale. ‘nuff said). You NEED to leverage automation. There’s just too many moving parts to keep track of manually. (more on that one in a later post!)

So for you IT guys who are wondering about security in a virtual environment, run over and start playing with Razor (did I mention it’s Open Sourced??????!!!!) and think about how you can help the security guy by giving him measurable results in a consistent fashion.

For you security folks, guess what, it’s time you look at all the cool tools that are available to the IT folks that can help you measure compliance. The depth of these tools is amazing. And the ability to pump it all into Archer to map it to the compliance policies makes your job infinitely easier.

I’m heading into Boston in a couple of weeks to learn more about Puppet and about Razor. Hopefully I’ll have more to talk about then!

Let me know what you think!

thanks for reading,

mike

VMworld 2012 – Time to Vote!

Hi all,

I’ve submitted four sessions for VMworld 2012. Three of them I’ve submitted with my vPartner in Crime here at RSA, Brian Tobia. [His Blog]

Here are the sessions and their descriptions.

#2316 Session Title: IT Tools for Security Guys – vCenter Orchestrator
Session Abstract: Using vCenter Orchestrator and your Security Incident and Event Manager together to alert on out of policy actions.

#2315 Session Title: vShield for Beginners
Session Abstract: Understand the 3 components (app, endpoint & edge) of the vShield family. Introduce the concepts of security groups and the application of policies (AV, DLP, etc.) at a group/business aligned level.

#2324 Session Title: Mirror, Mirror – An introduction to network monitoring and packet capture in a virtual environment
Session Abstract: Introduction to the port mirroring capabilities and current limitations of the VMware Distributed Virtual Switch.

Also, for those of you who can vote for sessions that are not available to public voting, please check out #2326. I’d like to include the title here, but in order to respect confidentiality as the session depends on an unannounced feature of a future VMware product, I’ll leave that up to others to disclose. :)

Go VOTE!

And Thanks!

There’s no silver bullet

I’m frequently asked about virtualization and cloud security. Usually it starts with a phone call from a sales guy asking “How do I secure the Vblock?” or “What can we sell to secure VMware?” I usually counter these statements with “Tell me the problem you’re trying to solve”.

Once I know what’s actually being asked, I’m usually left having to break the news. There’s no silver bullet. I can’t send you a USB key with the “Secure the Vblock” app on it so you can plug it in and “make it secure”. <\bubble burst>

“But why not Mike?” It’s because there’s just too many moving pieces and too many definitions of what “secure” means. Let’s break that down a bit.

How many moving pieces? Tons. When you think of all the settings you can change that could possibly impact security, it starts to boggle the mind. I’m reminded of two things: “The Butterfly Effect”, where one change in a nonlinear system can radically change the outcome, and the Mandelbrot fractals, where changing one variable can change the image displayed.

What’s your definition of “secure”? Everything encrypted? All I need is vShield? Twelve character passwords? Logging everything to a SIEM? Updating patches?

The list goes on. (and on…)

With virtualization, we’re putting a huge responsibility on the infrastructure to be secure. Unfortunately, some still treat it as an application and forego things like design. Security is still a “bolted on” construct. IT and Security are still not working together.

Because of the complexity, we need to use more tools. We need to automate and be able to work at scale. IMHO, “Cloud” is not about IaaS, PaaS, SaaS or any of the other *aaS’s. Cloud is about Scale. That means security needs to be able to scale. That means we CAN’T keep doing things the way we always have. (a better excuse for an audit I have not found!)

Some of these tools (performance monitoring, patching, updating, logging) you will find in the quiver of the IT professional. All are tools that the Security Professional should be getting a feed from and understanding how to apply that feed to security.

Hopefully, in the not too distant future, we can provide the ability to make better sense of that data in real time to help better secure the virtual environment. You can start today with using that data to ensure that compliance and visibility requirements are met. If you want a silver bullet, that’s a good place to start!